Establishing deterrence in cyberspace

According to the Identity Theft Resource Centre (2021), the total number of data breaches in 2021 was 1,291 as compared to 1,108 in 2020. Cybersecurity experts estimate that global cybercrimes would cost $10.5 trillion annually by 2025. This require states to adopt robust and efficient strategies and maintain effective deterrence to mitigate cyber-related threats.

The threat of cyber Pearl Harbor can be traced back to the World Wide Web’s (www) prominence since the 1990s. Sean Lawson and Michael K Middleton (2019) explain cyber Pearl Harbor as “catastrophic physical impacts from cyberattacks on critical infrastructure”. Terminologies such as cyberwars, cyberattacks, and cyber-intrusions have penetrated into the discourse of state security as they threaten countries with novel aspects of warfare. Having said that, a cyber Pearl Harbor as of yet remains hypothetical. However, low-stakes cyber-operations involving state- and non-state actors, as well as high-stakes cyber-operations among big powers, are carried out frequently.

Pakistan ranks 79th in the Global Cybersecurity Index. However, in the global trend of cyberattacks, Pakistan is no exception. For instance, some recent major cyber-incidents in Pakistan have been directed toward banking and energy infrastructures. These include K-Electric, Federal Board of Revenue, and National Bank of Pakistan. Moreover, the intercept in 2016 reported that Pakistan’s senior civilian and security officials have remained a constant target of cyber-espionage by the US National Security Agency (NSA). It was also reported by ISPR in 2020 that Indian intelligence agencies were involved in cybercrimes against government officials and military personnel in Pakistan.

In the same context, a 2021 report by Amnesty International highlighted that Pegasus spyware was used by India against Pakistan. A related article published by in November last year highlighted how a hacker group based in India launched cyberattacks on government and security departments in Pakistan and China.

Pakistan’s National Cybersecurity Policy 2021 mentions taking retaliatory measures in case of aggression on Pakistan’s critical infrastructure. Its objective states, “[It] will regard a cyberattack on Pakistan CI/ CII as an act of aggression against national sovereignty and will defend itself with appropriate response measures.” However, the deterrence mechanism mainly followed by the policy is deterrence by denial – denying any benefit to the attacker. This does not maintain complete cyber-deterrence. An asymmetric cyberattack may require adequate defence, but to deter a large-scale symmetric cyberattack, cyber-defence coupled with non-cyber means of retaliation would maintain an effective deterrence. Hence, states have incorporated retaliatory measures in their cybersecurity policies and nuclear doctrines. For instance, the US Department of Defense 2018 Cyber Strategy is offensive in nature and states the development of a lethal joint force for countering malicious cyber-actors.

According to a recent statement by Pakistan’s leadership, Pakistan’s IT exports are expected to reach $50 billion within the next few years. This is certainly a path to a resilient digital infrastructure. However, to defend the cyber frontiers, earnest implementation of the cyber security policy will be helpful in deterring cyberattacks.

Maintaining deterrence in cyberspace is an uphill climb, yet not impossible. Strong cybersecurity infrastructure is integral to minimising cyber-vulnerabilities. Alongside policy implementation and strengthening the regulatory mechanism, further investments in emerging technologies must be made. This will help augment cyber-defence, create an effective deterrence posture, and enhance the indigenous cyber-capability of Pakistan.

Published in The Express Tribune, April 9^th, 2022.

Like Opinion & Editorial on Facebook, follow @ETOpEd on Twitter to receive all updates on all our daily pieces.